Sunday, September 8, 2013

TORQUE Security Advisory - 6 September 2013


Vulnerability: A non-privileged user who can run jobs or login to a node running pbs_server or pbs_mom can submit an arbitrary job to the cluster; that job can run as root. The user can submit a command directly to a pbs_mom daemon to queue and run a job. A malicious user could use this vulnerability to remotely execute code as root on the cluster.

Versions Affected: All versions of TORQUE

Mitigating Factors:
- The user must be logged in on a node that is already legitimately able to contact pbs_mom daemons or submit jobs.
- If a user submits a job via this defect and pbs_server is running, pbs_server will kill the job unless job syncing is disabled. It may take up to 45 seconds for pbs_server to kill the job.
- There are no known instances of this vulnerability being exploited.

Remedy: All TORQUE users should patch their systems using the following instructions:

For 2.5.x versions of TORQUE:
----------------------------
1. Download the patch file:
     $ wget http://www.adaptivecomputing.com/torquepatch/fix_mom_priv_2.5.patch
2. Run the patch command in the root directory of the TORQUE source tree:
     $ patch -p1 < fix_mom_priv_2.5.patch
3. Recompile TORQUE:
     $ make
4. Install TORQUE:
     $ sudo make install
5. Restart pbs_mom (pbs_server is not affected)


For 4.x versions of TORQUE:
----------------------------
1. Download the patch file:
     $ wget http://www.adaptivecomputing.com/torquepatch/fix_mom_priv.patch
2. Run the patch command in the root directory of the TORQUE source tree:
     $ patch -p1 < fix_mom_priv.patch
3. Recompile TORQUE:
     $ make
4. Install TORQUE:
     $ sudo make install
5. Restart pbs_mom (pbs_server is not affected)

What the Patch Does: The patch checks that the connection to the pbs_mom daemon is coming from a privileged port. This follows the security model that only privileged users should be able to submit arbitrary jobs.

Attribution: This vulnerability was discovered by John Fitzpatrick of MWR InfoSecurity. Matt Ezell of Oak Ridge National Laboratory assisted in creating the patch. We thank these individuals for helping to improve TORQUE.

No comments: